Merge pull request #15571 from ewindisch/apparmor_denywproc
AppArmor: Deny w to /proc/* files
commit
9bac520c12
2 changed files with 13 additions and 4 deletions
|
@ -40,14 +40,11 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||||
file,
|
file,
|
||||||
umount,
|
umount,
|
||||||
|
|
||||||
deny @{PROC}/sys/fs/** wklx,
|
deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
|
||||||
deny @{PROC}/fs/** wklx,
|
|
||||||
deny @{PROC}/sysrq-trigger rwklx,
|
deny @{PROC}/sysrq-trigger rwklx,
|
||||||
deny @{PROC}/mem rwklx,
|
deny @{PROC}/mem rwklx,
|
||||||
deny @{PROC}/kmem rwklx,
|
deny @{PROC}/kmem rwklx,
|
||||||
deny @{PROC}/kcore rwklx,
|
deny @{PROC}/kcore rwklx,
|
||||||
deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
|
|
||||||
deny @{PROC}/sys/kernel/*/** wklx,
|
|
||||||
|
|
||||||
deny mount,
|
deny mount,
|
||||||
|
|
||||||
|
|
|
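Review bot: The glob in the new rule `deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,` is worth confirming against AppArmor's globbing rules before this lands, because negation is only recognised inside a bracket expression (`[^0-9]`); written as `**^[0-9*]` the `^` appears to be a literal character, so that alternative would match only paths containing a `^` rather than excluding `/proc/<pid>/` trees, if that was the intent. Two further changes are not mentioned in the commit message: the permission set shrinks from `wklx` to `wkx`, so link (`l`) is no longer denied on these paths, and `sys/kernel/shm*` is now explicitly denied whereas the removed `deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` rule exempted `shm*` from the deny. If the shm exemption is still wanted, keep the removed `sys/kernel` and `fs` rules alongside the new one (or write the new alternative to exclude `shm*`) instead of relying on the single combined rule. The enclosing profile starts and ends outside the hunk.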
@ -2808,6 +2808,18 @@ func (s *DockerSuite) TestAppArmorTraceSelf(c *check.C) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *DockerSuite) TestAppArmorDeniesChmodProc(c *check.C) {
|
||||||
|
testRequires(c, SameHostDaemon, NativeExecDriver, Apparmor)
|
||||||
|
_, exitCode, _ := dockerCmdWithError("run", "busybox", "chmod", "744", "/proc/cpuinfo")
|
||||||
|
if exitCode == 0 {
|
||||||
|
// If our test failed, attempt to repair the host system...
|
||||||
|
_, exitCode, _ := dockerCmdWithError("run", "busybox", "chmod", "444", "/proc/cpuinfo")
|
||||||
|
if exitCode == 0 {
|
||||||
|
c.Fatal("AppArmor was unsuccessful in prohibiting chmod of /proc/* files.")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func (s *DockerSuite) TestRunCapAddSYSTIME(c *check.C) {
|
func (s *DockerSuite) TestRunCapAddSYSTIME(c *check.C) {
|
||||||
testRequires(c, NativeExecDriver)
|
testRequires(c, NativeExecDriver)
|
||||||
|
|
||||||
|
|
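Review bot: In `TestAppArmorDeniesChmodProc` the failure is only reported when the repair `chmod 444` also succeeds; if the first `chmod 744` succeeds (AppArmor did not deny the write) but the repair fails, the test passes while leaving `/proc/cpuinfo` at mode 744 on the host. The inner `_, exitCode, _ :=` shadows the outer `exitCode`, which is what makes that masking possible. Fail on the first success regardless of the repair's outcome: inside the `if exitCode == 0` block run `dockerCmdWithError("run", "busybox", "chmod", "444", "/proc/cpuinfo")` and then unconditionally `c.Fatal("AppArmor was unsuccessful in prohibiting chmod of /proc/* files.")`, dropping the nested `if`. `TestRunCapAddSYSTIME` continues outside the hunk.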